CAUTION:  The following assumes that you are an administrator and have access to make chenges to registry settings. Changes made to the registry can cause serious problems if not done correctly. Ensure you are confident and familiar with making changes to the registry permissions before continuing. It is generally recommended that a backup is performed before modifying the registry. 

Following is a list of registry keys that Client Access requires access to:

HKLMSoftwareIBMClient Access

HKCUSoftwareIBMClient Access Express

HKLMSOFTWAREMicrosoftCryptographyRNG

HKCR

HKLMSoftwareMicrosoft

HKLMSystemCurrentControlSet

IBM Support suggests that the Windows default authority is placed on any registry key that the Client Access product attempts to read or write to. While most of these keys are accessed for READs, the first three are also updated. If the user that signed on to Windows cannot write to the first three keys listed, Client Access does not work. In previous versions of Client Access Express (V4R4, V4R5, and so on), Client Access also wrote to the classes root hive. In Client Access Express V5R1 Service Pack 2 (SI01907), Client Access was changed to minimize interaction with classes root and maximize use of the keys HKLMSoftwareIBMClient Access and HKCUSoftwareIBMClient Access Express. These keys are obviously meant for use by Client Access. They are less likely places for Windows Administrators to add extra security .

Access to these keys can be tested easily. Immediately after receiving the CWBLM0011 error, run REGEDIT and verify access to each key. For the first three keys, try to add a new key. For example, add a new key of TESTKEY to the HKLMSoftwareIBMClient Access key. If the currently signed on Windows user profile does not have write access to Client Access, a sub-key of TESTKEY fails upon creation. (Adding a TESTKEY key to a Client Access sub-key will not harm Client Access as the IBM software will not attempt to read it. If adding the key is successful, it can be deleted afterward).